You know how some scenes stick with you? Early on in my IT career, I learned a valuable lesson while on the job: The person who loses their temper is most likely the person to lose the issue at stake.
This story dates back to the early 1980s when I was working for a regional bank in one of the first positions hired specifically to manage computer security. Until then, no employee had been dedicated to system security at the bank, so the measures that had been implemented were very basic or inconsistent.
With a database team and a production team previously established, I initially took over user ID administration from someone in the database group who'd been doing that work on a part-time basis.
Plugging the security holes
As I delved deeper into the issue, I discovered the bank had next to no security on the mainframe's production files. Anyone in the bank who had access to the mainframe's time-sharing system had read-write-purge permissions to all production files. This list included every IT person in the bank, even those who didn't need access to them to do their work.
Amazingly, a few accidental deletions were the only problems they'd had in that time. I drafted a cautious plan to restructure permissions so that programmers could read production files, but could not alter or delete them. Nonprogrammers with time-sharing access would not be allowed to even read production files.
For most functions, programmers only needed to be able to read production files, and the bank already had a process in place if a file had to be updated with a temporary programming change. My plan included a process for them to get management approval when a file required a direct edit.
My boss approved the plan. We expected some pushback from the programmers about the new security measures and braced ourselves accordingly. They didn't disappoint.
After reading the plan, some programmers came by with choice words or questions. The worst was one very irate programmer who stormed into my office and called me a "Nazi" for taking away permissions to "his" files! I patiently explained that the audit folks were finally catching on to our alarming lack of compliance with sound security practices, so we had to make these changes. He wasn't happy, but left without further argument.
Otherwise, the plan was implemented with no issues.
Security means security means security
Then the unexpected happened. The on-site security manager had apparently come to the realization that a new security team had been hired. He took exception to the fact that we were working on "security," but did not report to him. However, his security crew had nothing to do with computers beyond physical security -- meaning guards and access badges. Somehow he felt that we worked with security, therefore we did the same thing. In response, he launched a turf war.